What Is Dynamic Application Security Testing (DAST)? | AppSec 101

Host: Welcome everyone to another episode of AppSec 101. Today we're going to be diving into the topic of "What is DAST?" DAST is dynamic application security testing, and with us today I have a DAST expert on the line. It's Rick Smith, and he is over our Fortify WebInspect product, which is a dynamic application testing tool. So Rick, I'll hand it off to you, and maybe you can give us just a quick background about yourself, a little bit of an intro and some of your experience.

Rick: Cool, sounds good. Yeah, so my name's Rick Smith, based in Chapin, South Carolina. I came to Fortify about seven years ago. Prior to that I'd been involved in IT for about 20 years, so network integrations and the network security side of things. I came into the Fortify organization supporting our customers on using our products, and then two or three years ago moved into product management. So now I'm handling our dynamic application security testing products, so WebInspect and WebInspect Enterprise, as well as our Fortify on Demand customers who are using those products as well.

Host: Awesome. And Rick, to start things off, maybe we could just talk a little bit about the basics of DAST.

Rick: Sure, sure. So yeah, DAST stands for dynamic application security testing, as was mentioned a moment ago, and with DAST solutions we're actually testing running applications. So typically when you're testing for security vulnerabilities there are two major ways of doing that: one is static application security testing, the other is DAST. Static being an analysis of source code, dynamic being an analysis of the running application. So we focus on that running application with our WebInspect products, everything in that kind of line, and that involves performing a crawl of that application, which means you give us a URL for a web application or you give us an API endpoint and we enumerate, we identify everything that is involved in that application. So if it's a website, we crawl out the application, we follow the links, we identify parameters and inputs. And then the second phase is where we audit that application, so we start analyzing the application and looking for vulnerabilities. A common way to look at that phase is a pen tester in a box. So obviously you don't have the human element that is involved with a pen tester, where they can see some of the more business-logic types of things, but you are able to very rapidly scan large applications and many applications with a tool like WebInspect or with any DAST tool and identify vulnerabilities. So it's all happening at that network level, so over HTTP or HTTPS. We're making requests, we see a response that comes back, and maybe we can identify an input on that page, and then we send attacks where we try to elicit a response. Based off of that response we're able to identify a large count of vulnerabilities, everything from SQL injection and cross-site scripting to even things like weak cipher and more environmental types of problems.

Host: So you touched a little bit on SAST and DAST and the differences between the two. Maybe you could dive into that a little bit more and touch on the differences between SAST and DAST, but also maybe how they complement each other.

Rick: Sure, sure. So yeah, the difference between SAST and DAST: static application security testing is again focused on source code. So what happens there is, and Fortify has products that support that, we pull in source code, we translate that source code to an intermediate model that sort of flattens it out, makes all the different languages look like a similar structure, and then we're able to apply rules to identify vulnerabilities in that source code. So we apply a rule that's able to trace data flow through source code to identify different types of vulnerabilities, like, as I mentioned, cross-site scripting or SQL injection or any of the thousands of vulnerabilities that we're able to detect. The difference with dynamic is that we're actually looking at that running application. We're making a request to a web server, and that typically has a web application server, something like Tomcat or IIS, that has an application running on it. We make a request and we get a response, and based off of that response we do further requests or further analysis to identify vulnerabilities. They complement each other very well. Static analysis is really good at highlighting source code weaknesses, so things that may or may not be a vulnerability based off of the context of the application. In many ways you're going to get more results out of static analysis, typically, because there are things behind the scenes that dynamic analysis can't see. We're not going to typically see or do as good of a job on the backend applications as static analysis can. But on the flip side, the pros are that with dynamic analysis we can see the front end, and we can see the configuration, and we can see the environment, and those are things that typically static analysis isn't able to see. So there's a lot of overlap. If you think about the Venn diagram, the overlap is fairly significant, but what's probably more significant are the areas where they do not overlap, where they complement each other very well. And so that's why we really believe that for good, thorough application security testing you need to be running some form of static analysis as well as some form of dynamic analysis, so you get a real good understanding of the security posture of the application. And then there are other concerns that are out there. With static analysis you're obviously not running that against applications that are running in production; you're running it against source code that maybe gets promoted and published into production environments, whereas dynamic analysis does give you that ability. So like I said, there's a lot of overlap, but really the interesting parts are where they don't overlap and where they very well complement each other.

Host: So you mentioned a Venn diagram, and maybe let's dive into that a little bit more. Looking at the areas where SAST doesn't overlap with DAST, what are some things that are unique to DAST? And maybe you could touch on some of the pros of DAST and then maybe some of the cons as well, like what are some things that DAST maybe isn't capable of doing?

Rick: Yeah, so the classic area, the area that's really easy to explain and easy for customers to understand, is things that involve the environment. So be it weak cipher or SSL types of findings, those are areas that static analysis isn't going to typically be as good at protecting, or as good at detecting I should say, and that it typically can't see. There are obviously exceptions to that, and you can identify weak TLS algorithms and those types of things with static analysis, but it's more difficult to see that real environmental side of things with static analysis. Dynamic analysis tends to really shine in those areas. It's also, in a lot of ways, going to be less noisy, just by virtue of the fact that what dynamic analysis is doing is behaving, or analyzing the application, in a very similar way as a human would analyze an application. So if you think about the use case, we're trying to protect applications from an attacker exploiting a vulnerability. Well, dynamic analysis works much more similarly to the way an attacker would attack an application, in that we are actually running in a browser, we are exercising that application and identifying things that are kind of the lower-hanging fruit in some cases, and sometimes they're not, but we're identifying those things that a human would actually be able to see. Whereas with static analysis that context isn't quite the same. Static analysis basically detects any kind of weakness, any kind of data flow, whether it's actually surfaced to the user or not. So there are strengths and weaknesses there. There are also some strengths of dynamic analysis around API security in particular. We start thinking about microservices and the way different services will interact with one another. Dynamic analysis, with some of the more recent innovations, has actually gotten pretty good at modeling those APIs and understanding that output A is passed into input B in disparate APIs. So there are some strengths there. And probably the last strength is that we don't have to really know a whole lot about the source code that's being built, or the languages the applications are being built in. The application is built and then deployed and presented in the runtime environment. In most situations it's something that any browser can consume and render to a user, and the way I frame it with customers is: if a browser can view it, if the browser can return it and render it to a human, then we should be able to scan it. So in almost all situations that's the case. And so that's one of the weaknesses of static: you do have to understand the syntax of the language, you have to understand the various code constructs. Dynamic doesn't have that same requirement; we're able to just see the application in the way that a browser would see it.

Host: Yeah, and I think that's a good point that you touched on, because sometimes to fully secure an application you need to think the way that a hacker would, and so it makes sense that you would want to attack it from the outside in, so to speak. If you're prioritizing vulnerabilities, which is kind of the name of the game, it's prioritizing what you're working on. We know that all teams can't remediate every single finding, so if you're looking for the things that you should probably focus the most resources on, in many situations those will turn out to be the things that a dynamic tool can detect for you. And then you look at things like criticality, so there are all kinds of different ways to measure that and to prioritize, but focusing on things that a dynamic tool can see makes a lot of sense, because those are going to be the same things that an attacker is able to see in many cases. And Rick, one thing that I think all security professionals can agree on is they know security is important, they know they need to be testing, but one of the reasons that people maybe don't test as often as they should is because it can be time-consuming. So maybe what's something that you would say to them as far as the importance of running regular tests, and why should security professionals be using tools such as DAST?

Rick: Yeah, that's a good question, and things have changed a lot. What we're seeing is that our customers are no longer using DAST tools to run a scan of a single application or a handful of applications just a few times a year. They've actually got hundreds of applications, and they've still got two or three security folks in their organizations, which makes it even more important, because we don't have that same ratio, or we don't have a better ratio, of security testers to applications; now we've got a lot more applications. So it's important to lean on the tool and to make sure that you're tuning it and make sure that it's doing a good job for you. So DAST tools actually fit in really well there. We know that teams don't have enough pen testers to cover all their applications, so the model that we're really seeing customers trying to move towards is more of a holistic model, where they're doing static analysis early, they're doing that often, they're identifying vulnerabilities soon as a part of their dev process and they're remediating those as they go, and then they're using dynamic tools as well. So they're integrating dynamic tools into their pipelines as well, so that they're getting repeated scans and they're not having to run these sort of ad hoc scans that basically save up those vulnerabilities till release time, and then you've got this big panic at the end. So it's really in the combination of those two that we're seeing what is really working for customers, and more and more customers are moving towards getting things automated, making sure they're scanning what matters, making sure they're getting as much early feedback as they possibly can and getting that into the hands of their developers, who can actually fix findings, versus saving that till the end where it just causes a lot of friction in their programs.

Host: Well, let's talk for a minute about the future of DAST, and maybe where you see DAST going in the next couple of years.

Rick: Sure. Yeah, I think it's a lot of that holistic application security, which is what we've really seen from our customers and where we really see the industry going. It's about getting testing integrated into pipelines so that there's as little human interaction as possible, so that you can really focus your time on remediating findings. So where we really see this going is that customers are spending much less time configuring tools and configuring scans and all those types of things, and they're spending more time on actually remediating findings. So that's a very, very strong theme in the AppSec industry; it's all around automation: how can you make things easier, how can you make things more accurate. Also there are a lot of things that we're looking at in terms of improving accuracy. We're fortunate that dynamic application security testing tends to be very accurate, but anything we can do to reduce some of that noise is a big deal. Other themes that we're seeing: it's not only about automation, but it's also about integrating into the existing tools that the teams are using, whether that's in QA using things like Selenium scripts that are already there, that teams are using for doing functional testing, and using those to drive dynamic tests also, so you get these really focused, really fast, CI/CD-friendly scans; or integrating into things like OpenAPI that teams are using to define or to document their APIs, which gives us a good surface area for a dynamic scan; or even things like Postman integration. So we're really seeing a lot of that. That integration story is becoming more and more important because it makes it easier to automate and it reduces a lot of the manual effort that has typically existed for folks who are running dynamic application security testing programs.

Host: A lot of automation, a lot of integration, and, as you mentioned earlier, getting it integrated and doing it as early in the process as possible. Well Rick, maybe to wrap up: you're the product manager for Fortify WebInspect and also Fortify on Demand. If you could touch on how these products solve some of these use cases that you've mentioned, and how they help meet the needs of security professionals when they're doing this type of testing.

Rick: Sure, sure. So yeah, Fortify on Demand uses our dynamic application security testing products, so it uses WebInspect as well as some other in-house developed tools, but the primary engine that's used in Fortify on Demand is WebInspect. So we run thousands of dynamic scans against customer applications. What Fortify on Demand adds to the WebInspect scan is an expert user of WebInspect, an application security specialist who configures that scan and is able to then interpret results and remove false positives and make sure that the scan is tuned properly. So it closes some of that people gap that we've seen lots and lots of our customers, both small and large, have in terms of having the right resources to run scans. So it's a really good solution for getting results very, very rapidly. You don't have to install anything, you don't have to know the product, you basically just have to provide us with a URL. So that's where Fortify on Demand really, really benefits from DAST. And then in the other direction, Fortify on Demand actually benefits WebInspect. We've got feedback loops established that benefit our on-prem customers, in that features and functionality and tuning and accuracy are all improved because we've got some of the best application security testers in the world running the tools and providing us feedback and telling us when we've messed up, when there's a bug, when we're flagging things that are not real, those types of things. So we are able to improve the product. That sort of symbiotic relationship has worked really well, that feedback loop has worked really well, and the tools are really good at flagging those vulnerabilities and providing customers with the details that they need to secure their applications. That's the name of the game, and that's fundamentally what they're here for: to make it easy for a customer to scan an application and to identify vulnerabilities and remediate them and to secure those applications. So we definitely try to make that as easy and as painless a process as possible. Definitely always room for improvement; we're always working to sharpen the blade there and to make things even better and better, but we do think the tools do a really good job of providing that level of feedback that customers need to secure their applications and to secure their programs.

Host: Well Rick, I appreciate you taking some time to speak with me today and to talk a little bit about DAST and why it's important. And to our viewers, if you have any questions, please feel free to comment below, and we look forward to seeing you in another episode of AppSec 101. Thanks.

Rick: Thank you.
Info
Channel: Fortify Unplugged
Views: 7,292
Keywords: application security testing, software vulnerability testing, Secure DevOps, secure software development, appsec, Micro Focus, cybersecurity, DAST, SAST, Fortify, DevSecOps, CI/CD, software vulnerabilities, dynamic application security testing (dast), dynamic application security testing, dynamic application, application security, web application security, owasp
Id: 6okVFkDKORg
Length: 19min 40sec (1180 seconds)
Published: Thu Jul 09 2020